Something Corrupts My System Files After Sfc Cleans Them


Hi, the symptoms of the malware are extensive and varied. It presented 3 weeks ago a day after a Dell service technician replaced my laptop hard drive with a brand new one, and then installed non-existent firmware on it. Dell are refusing to comment aside from offering to refund my laptop's purchase price. Upon noticing how fast my laptop was running after the Dell scum left, I formatted my desktop and another laptop's hard drives, and installed Win7 from a flash drive I created on the Dell. The next day, everything went to sh.t.

The first peculiar thing I noticed was some applications on my desktop refusing to run when I double-clicked on them. Messages would pop up saying I didn't have permissions and to contact my Administrator (I am always logged in as Administrator). I tried to uninstall / delete but was unable to. I tried d/l'ing Revo Uninstaller and the .exe file was deleted immediately upon install. The same thing happened with most AV 'solutions' and malware scan utilities. I had been running MS Security Essentials and iObit 360 and both were running through full scans saying everything was peachy. I uninstalled iObit's software fine, but MS Security Essentials was impossible to get rid of. I noticed a Windows Service for MS Security Essentials but I could not Stop or Disable it as everything was greyed out.

Trying to manually delete files, I noticed most of my desktop's applications had strange permissions added. To start with, Trusted Installer had become the owner for most of them, and I was unable to reclaim ownership as Administrator as Trusted Installer had also taken over Audit and Special Permissions for my C: drive as Creator Owner. There were also a lot of listed Permissions for User S-1-21-xxx (long hash code) etc, on almost every executable file.

I formatted using the Win7 Ultimate genuine discs and installed Trend Micro Titanium, which was immediately patched and I had similar problems getting rid of that to try other AV 'solutions'. Webroot went the same way. ESET was even worse, running through Full scans saying everything was fine, whilst Firewall rules were being added to let in the hacker-world-at-large.

Forum 'experts' have proved painfully slow, utterly clueless, surprisingly dull and creepily pathetic, in their nauseating refusal to address pointed queries and their shameful willingness to simply declare anything they don't understand is 'fine', whilst they ignore detected rootkits which haven't been cleaned on my system but simply no longer show on scans. They have pronounced my systems clean on the basis of a Malwarebytes clean scan (which has said everything is fine, on every scan from the start), ignoring the fact that Gmer's first ever scan result was unaddressed...

Microsoft tech support are either hilariously incompetent or just simply vile. They receive the evidence I send them, then claim they didn't. They've accused me of imagining it all, and advised me to quickly report it to the "Cyber Police". They're idiots (and that's really being diplomatic).

Frustrated and out of ideas, with one hard drive destroyed (admitted possibly by frustrated uninstalls of hidden non-plug&play drivers I did en masse one day), I purchased a new hard drive and low-level formatted (dban) my laptop's hard drive. I flashed the BIOS on each hard drive, and with all network adapters deactivated, I then installed Win7 Ultimate onto the 'clean' hard drives with the same Win7 genuine advantage disc. Before going online, I installed McAfee Total Protection, and then individually took each system online to download the latest of Microsoft's endless security patches for the thousands of exploitabilities in their retarded OS.

With everything more or less stable for 3-4 days following the huge effort, I breathed a sigh of relief. Which turned into a furious scream yesterday, when I realised Windows Update was refusing to...Update. Critical security patches were deemed unnecessary, and I have to manually download and install them. They patch nothing, which isn't surprising. Every time I do a command line scan with System File Checker, corrupted system files are found and replaced. Hours later, they're all corrupted again and sfc /scannow 'fixes' them all again. Back and forth.

I think I've finally worked out what's corrupting them, but I don't have a clue how to address it.

Somehow the 8 hour low-level format I conducted (prior to flashing the BIOS) on my Latitude didn't affect the cbs.log as it's showing logs from a fortnight before the low-level format. I thought that was impossible?

In each cbs.log, I have endless repetitions of activity which are highly suspect. I don't know 100% which sections are or aren't logs of legitimate activity (and I would wager a lot neither do Microsoft, which explains why they are useless / refuse to assist). But I'm pretty sure I can finger some parts which are *not* legit.

In my desktop cbs.log, the only "clients" which initialize sessions are:

SPP (a few times)

WindowsUpdateAgent (00's or 000's of times)

In my laptop cbs.log, the following "clients" initialize sessions:

DISM Package Manager Provider (x 2)

lpksetup (x 20)

WindowsUpdateAgent (x 00's or 000's)

Software Explorer (x 20)

SPP (x 7)

I think the lpksetup client sessions are highly suspect. Although I'm basing that primarily on this thread below and because I can't think of a legitimate reason for silent language pack operations to be occurring.

My cbs.log files are many tens of thousands of lines / pages from only the last 3 weeks. But after a sfc /scannow clean, I turned on my laptop the next day and stuff started happening silently pretty much instantly without any prompt or signal whatsoever. I then ran another sfc scan and it replaced all the corrupted system files. The cbs.log excerpt for those two events only (20 min apart) are here: http://justpaste.it/98y

10 min after SFC replaced all the corrupted files in the excerpt above, the silent process kicked into gear again, uploading corrupted replacements from the offline registry hive. I ran SFC again, even more corrupted files cleaned and replaced. Around and around we go...switched-off computers are waking up on their own accord, and it creeps me out.

MBAM / SAS couldn't find a prostitute in a brothel. I seriously think they're both redundant and worthless. Immunet isn't really working at the moment, screenshot: Immunet Rootkit Scan


Mostly out of boredom, I tried a ComboFix scan again. After the malware blocked it a few times saying it wasn't compatible with Vista or 7, I tried it in Safe Mode and it ran through its 70 stages or w/e and delivered a logfile - anything of value/interest in this huge log?

Sigh. I spent an hour bashing my thick head against a wall trying to launch the ISO image from a virtual drive as I've run out of writable discs. And then I remembered you posted 2 links lol - 30 seconds later, I was booting from a USB.

I only did one pass, as that took a pretty long time by itself, I'm hoping that's sufficient? The report was that everything was fine, no memory errors.

After the low-level format were your partitions still intact?

I was certain dban obliterated everything, even the BIOS. After the low-level format, when I turned on the laptop, there was just a black empty screen. I could only boot with the Win7 genuine advantage disc, and there was just the single partition when it installed (I believe it automatically creates a 2nd system reserved partition if user doesn't).

Can you post the Support Diagnostic Tool logs? (you can run it from Immunet's start menu)

Hmm - what's the best way to post the logs?

Immunet_Support_Tool_2011_03_12_06_53_38.7z


I had uninstalled Immunet and was trying to get Kaspersky installed but was unsuccessful, Kaspersky kept saying I had to get rid of clamav 1.0.26 and literally nothing I could think of was working. I was just about to reinstall Immunet and try uninstalling it again, when I noticed your response. So I'm not sure if the logs will have full history or just the last hour's...


I was running a Full Scan and just woke up and it seems like it might have updated, the Yellow circle is now Green and says "Up To Date" - the scan is still going though, 10 hours and counting....seems long...

Is there any reason to believe your system is still infected?

Yes. Every time I run sfc /scannow, 5 minutes later a process silently corrupts the files again, uploading from an offline registry hive.

I ran Security Check and it says my Java is out of date (it's not), but when I try to d/l Java again, it gives this error message:

Googling the 1606 Error took me to Application Data (I forget why) but it says "Access is Denied" for my own folders.

I'm logged in as Administrator but I cannot take control of some of the Windows Image folders/files that are being used to make my life hell...

My systems are crawling. My desktop will be completely powered down and then it'll just switch on automatically, it really creeps me out.

It's all a huge mess.

Aren't the virtual drives ultimately stored on a physical drive ... that you wiped?

Well I thought so. But reading now, it seems like things weren't that simple.

Does DBAN wipe the Host Protected Area ("HPA")?

No.

Most vendors that are using the HPA have a toggle for it in the BIOS setup program. Future releases of DBAN may override or dishonor the HPA.

Does DBAN wipe remapped sectors?

Use the ATA-6 wipe method if you want to wipe remapped sectors. Most methods do not wipe remapped sectors.

Why doesn't DBAN detect the disks in a RAID array?

DBAN has drivers for most RAID implementations, but DBAN does not automatically disassemble RAID volumes.

The operator must manually disassemble RAID volumes and put each component into "JBOD" or "SINGLE" mode for the disks to be recognized by DBAN.


I can only assume anyone reading this is studying up on the threats I've brought to light.

Oh lol, apologies, I momentarily forgot where I was posting. In 3 weeks, I feel I know more than most AV 'experts'.

Children can run an AV scan. And professionals, if they're AV-industry professionals. Unfortunately, that appears to be the extent of it.

I've had 30 conversations like this with paid professionals in the last month.

Every forum, everyone goes silent. That's fine, not understanding something is fine, but I would have assumed professionals in this industry were problem solvers. In 3 weeks, from near computer illiteracy, I've come very close to learning enough to solve this myself - I would think it should take a literate computer expert mere minutes to study up, even if they knew nothing about it. I guess I thought wrong, by the number of threads on forums I find, where people are having very similar problems....

Then do the 'sfc /scannow', wait the time required for the files to get corrupted again, run another sfc to be sure they changed, and now stop procmon, and save the log it created.

If you compress that log, is it small enough to upload here?

Hi Edwin, thanks for your response. Apologies for not checking back, but my frustrations with the silences across a range of forums, and every expert I hired continuing to charge me without solving anything except the question of their competence...was wearing me down.

I can't say with any certainty that they were the same files as I've moved to Ubuntu Linux, awaiting the Chrome OS. I think Windows is dead, and Microsoft is finished. But I am unable to know if considerations of justice are clouding my objectivity.

But I'm pretty sure the files were the same corrupted replacements. Because WFP is flawed beyond belief. It treats the deployed silent unattended installation as the 'correct' one, so I was effectively corrupting my OS with my Genuine Advantage discs and with SFC /scannow.

Then do the 'sfc /scannow', wait the time required for the files to get corrupted again, run another sfc to be sure they changed, and now stop procmon, and save the log it created.

If you compress that log, is it small enough to upload here?

Hi Edwin, I installed Win7 Ultimate again after the issues were crashing my Linux distributions as well. And I remembered this post, so I ran Procmon and immediately hit sfc /scannow but..in the mere minutes it took to verify, over 8,000,000 (8 million) processes were recorded by Procmon.

And to top it off, I hadn't waited long enough for the files to be corrupted again lol, and it's been quite a few hours since the last corruption, the results of which I have logged of course (over 3000 cbs.log entries for the single sfc /scannow a few hours ago).

It filled 8 procmon log files in the 10 minutes or so that it took to run the scan which didn't find any violations. To get two sfc /scannow outputs, with the silent process replacing all the files in between, we're talking hundreds of millions of processes!

I assume that kind of output is of no use?

As I was writing that out, I thought "oh that can't be right, it must have been 800,000 or something" - so I just ran it again. In 7 minutes, 7 million processes monitored. This is non-stop.


In that case I don't think that you are dealing with a virus, but rather some kind of hardware defect.

Which Linux distribution did you use, and with what error message did it crash?

ubuntu 10.4, 10.10 and 11.04 and Mint 10.10. The crashing isn't the concern, crashing is merely a side-effect of being hacked. Very similar problems to Windows but not as rapidly destructive (huge directories and sub-directories of folders /files no one could really explain; all inaccessible with sudo of course; some recursion which slowed my systems down but wasn't really a problem, it just reflected all the virtual terminals that I couldn't access, which were a problem; a lot of permission denied messages logged in as root or with sudo, trying to access SSH connections and services that I didn't install, were certainly not default, and which couldn't be killed by sudo, and even losing sudo altogether trying to uninstall a Samba service which was never installed - the huge directories of samba-related files I couldn't access certainly weren't default - which gave me flashbacks of how this all started with TrustedInstaller over-riding INBUILT Administrator permissions).

goscuter1@goscuter1-Latitude-E6500:~$ rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  55518  status
    100024    1   tcp  37408  status
    100021    1   udp  49813  nlockmgr
    100021    3   udp  49813  nlockmgr
    100021    4   udp  49813  nlockmgr
    100021    1   tcp  43446  nlockmgr
    100021    3   tcp  43446  nlockmgr
    100021    4   tcp  43446  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    2   tcp   2049
    100227    3   tcp   2049
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100227    2   udp   2049
    100227    3   udp   2049
    100005    1   udp  50908  mountd
    100005    1   tcp  43996  mountd
    100005    2   udp  50908  mountd
    100005    2   tcp  43996  mountd
    100005    3   udp  50908  mountd
    100005    3   tcp  43996  mountd

The nlockmgr is part of the file locking manager system for NFS. It forwards local file locking requests to the lock manager on the server system. This service should be disabled if your system is not acting as either an NFS client or server.

The rootkit evidence is pretty overwhelming with every OTL, ComboFix, Gmer, HijackThis etc scan I've ever run (*when they run* or *when the options aren't all greyed out*). But I only just realised I've been stupidly distracted by all the endless side-effects and not getting at the core issue, which is the deployments being recorded in my cbs.log and windowsupdate.log files. Even they aren't the core issue of course; the core issue is hardware hijacking - which is why my endless zero-filling has just been a complete waste of time.

I agree it's hardware defects, intentionally created, initially by a rootkit or the criminal Dell service technician they're refusing to take responsibility for. I just don't understand enough (or anything) about the hardware. So I get all distracted by the deployed Microsoft-signed patches screwing up Win7 and the entire hard drive's contents. Microsoft are the WORST. But getting at the root of the problem has forced me back to Windows, because of course it's very hard to convince a Linux user that the problems are real - I mean, they're not having them! (this is literally their logic sigh).

All these drivers were installed and showing as autoruns in SysInternal's handy app:

- I just unclicked them all after realising every single one of them seemed unnecessary and a vulnerability - this system is running a lot better now, but all these things are side-effects.

I need to secure my system from the network administrators who are using FEP and DISM to deploy all the crap onto my systems.

And they're getting access via the hardware. I have a stack of pics of all the controllers and whatnot, which I'll post shortly as I think they're the key...once I get over the fear of destroying my brand new HTC Desire HD (literally everything gets destroyed, my Nokia N97mini is currently RIP).

Look more closely at what those numbers mean:

"Showing 7,114,492 of 7,142,955 events"

They are events, not processes.

Ah okay. I'm the kind of guy who jumps to conclusions that a program called Process Monitor would be listing processes. But events, processes, it's all semantics to me I'm afraid...I'm quite certain 1,000,000 *events* per minute is not normal. Neither is 7000 cbs.log entries in 41 seconds for a single MSSE patch which MSSE already downloaded 6 hrs earlier.

It would be more interesting if you could start a procmon capture after your SFC scan is finished, and wait till files get corrupted.

It's just side effects, Edwin. In any case, I can see what's corrupting them, it's all being recorded in the logs. I need to focus on blocking the deployments, and I think the answer is either:

figuring out how to clean what DBAN and BIOS flashing and CMOS flushing and MBR fixing cannot; or

figuring out how to be 100% certain my Internet is secure, then just make a bonfire out of the electronics in my apartment.

Either would be fine. I've had 10 weeks of this. That's enough for me. Christ Microsoft are filthy.


Hardware. Sigh, I just don't know what all these controllers are, but I'm pretty sure they're suspect. This is for my desktop:

After a 10 hour DBAN, I don't understand these because this BIOS is flashed. What are all these PCI Unknowns - do you think they're the culprit?

This is just more of the scan which starts above. 10 screens of PCI controllers that are too complicated for me to make sense of. I don't really like all the Unknowns. Far too many Unknowns, in this industry...

I dunno; after a 10 hour DBAN, seeing that just makes my stomach churn and god I hope it's the culprit because I have no other suspects now that my modem / router are looking annoyingly innocent.

No DBAN, no you did not.

I'm not sure if this meant anything as I think X: is used as the virtual drive for Recovery but I know corrupt files are being pulled from a repository, so the fact that I can't delete them struck me as annoying:

Oh, and if it wasn't obvious, I'm not using Linux at this point in time. But I've seen "squashfs" and "NFS" before, on my systems where I didn't install them. I don't know what this means now, I was about to burn everything under the belief my connection was secure. But, they're coming through NAT and a hardware firewall with a yawn? vomit...

They're reactive also. It's incredibly creepy. After those PCI pics, I killed PlugNplay and RpcEptMapper and some other services on my laptop. My desktop crashed and I didn't bother zero-filling, I just formatted and installed Windows again, and they're reactive!

If you really want to disconnect the network cable, do a clean Windows install, and work that way for a while.

I'm not sure what you thought I was doing or trying to do; but I assure you the above has been it for a very long time now. The installation logs of a system that has all networking functionality disabled in BIOS; I even took it down to the other end of my building and checked for Wifi with my phone and in a complete dead spot, installed after a zero-fill format...never been online, the installation logs aren't complex.

Those files in /proc are normal: one is created for every process that runs.

Yes. I didn't run the processes.

It is normal that you cannot access them as a normal user, only root can access them.

Yes, I was root. And unable to access them.

You should be able to 'sudo ls -l /proc/2', etc, once you get sudo working.

Oh it always was. Until I'd lose it being too pesky trying to mount an unknown filesystem on my system. Somewhat rudely; as they were never my filesystems.

Most likely you do not use Andrew File System, thus the output from these commands makes no sense.

Yeah you're not really getting it. I absolutely did not want to use AFS, but AFS was accessing my system, so I was attempting to query it. As root, you might note.

Probably because you've run some chmod -R, or chown -R commands in the wrong place.

Oh good god. I've never run chmod or chown commands in my entire life. I barely do anything except query data until my systems crash. I'm tired of conversations like these; are you just wasting my time?

Linux has extensive logging, so it should be easy to find out why samba got installed (it could have been installed as a dependency of another package).

You can start from /var/log/apt/history.log, and (if you regain sudo) /var/log/apt/term.log.

/var/log/messages is also a good place.

SO DOES WINDOWS!!!

You can also try asking on various Linux forums/IRC channels, I'm sure you'll find someone to help you if you are patient and willing to listen.

On Launchpad, I had a genius helping me out and he was mostly concerned about AFS accessing my system; more so than I was - I was all fretting over an unexplainable .local domain which was killing Avahi. But I'm using Windows for a few reasons currently, purely functional as I don't know my way around the Terminal yet. And don't have time to learn, because I keep getting pulled into ridiculous conversations proving what I've PROVEN 15 posts back.

It might be that your Windows install media is somehow corrupted, or some program that you install is malicious.


Also if you are paranoid download the full install DVD, disconnect your network cable, install, and run that way for a while. Then see that nothing happens when you connect the internet cable.

I just don't know if you're levelling me or having a laugh. But literally what do you think I've been doing after hours of zero-filling? Just jumping straight on the network? for heaven's sake...

Again, if you are paranoid there is tripwire: it creates a secure hash of every file on your system, you can digitally sign it with a key that you keep on removable media, etc.
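The file-integrity idea described in the post above, shown as an added example (not tripwire's own code and not from the thread): hash every file under a root into a baseline, protect the baseline with an HMAC under a key that stays on removable media, and later diff a fresh hash pass against it to name exactly which files were added, removed or rewritten between two SFC runs. The demo directory, its file contents and the key are constructed here for illustration.

```python
"""Tripwire-style file-integrity baseline (added example, not tripwire itself)."""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of one file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file below root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def sign_baseline(baseline, key):
    """Attach an HMAC-SHA256 tag; the key lives on removable media, not on the host."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"files": baseline, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_baseline(signed, key):
    """True only if the stored file list has not been altered since signing."""
    body = json.dumps(signed["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def compare(old, new):
    """Report which paths were added, removed or changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline, then a silent rewrite, add and delete."""
    key = b"constructed-demo-key-keep-the-real-one-offline"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "System32"))
        sample = {"System32/a.dll": b"original a", "System32/b.dll": b"original b",
                  "notes.txt": b"scratch"}  # constructed stand-ins for system files
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        signed = sign_baseline(build_baseline(root), key)
        # Something replaces b.dll, drops a new c.dll and deletes notes.txt.
        with open(os.path.join(root, "System32/b.dll"), "wb") as f:
            f.write(b"replaced b")
        with open(os.path.join(root, "System32/c.dll"), "wb") as f:
            f.write(b"new")
        os.remove(os.path.join(root, "notes.txt"))
        return verify_baseline(signed, key), compare(signed["files"], build_baseline(root))


if __name__ == "__main__":
    print(demo())
```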

GREAT..! HOW DO I GET IT ON MY SYSTEMS? Or am I supposed to secure hash in the corruption, you understand that's what's happening? The second the control order from the disc is launched, the PCI controllers launch into action and execute their preset commands. It's all there in the installation logs, thousands of them.

That looks pretty normal: some USB controllers, Audio controllers, Video controller, etc. The unknown ID just means that its ID isn't in the PCI id database, because no one has added it yet.

No. It's not normal. That's utter nonsense. And I'm not going to accept anyone else claiming that 50 virtual terminals on a fresh install or BUILTIN Administrator being unable to do squat or really any of this crap from now on. You think it's normal? Fine, reproduce it. I'm sick of hearing that ridiculous line.

Is your windows installed on C: or X:?

It jumps around. Quite literally. There's a Q drive on my Dell I can't touch. Doesn't really matter much to me, LIKE IT REALLY DOESN'T CHANGE MUCH FOR ME.

Description of problem: PCIe switches allow peer to peer transactions that are routed by the switch and could bypass the VTd translation hardware potentially causing unexpected behavior in the system. ACS allows the system to force the PCIe switch route all traffic upstream so that the VTd hardware can validate all transactions. The virtualization management tools should not allow direct assignment of a device that is below a non-ACS enabled PCIe switch to a guest.

In the above example the '150' is a device specific offset into the PCIe Extended Configuration Space where the Capability is described. So '150' is not special here and may be different for different PCIe functions (just needs to be greater than 0xFF). The PCIe Capability ID for ACS is 0xD (13). So the string "Access Control Services" (using my patched lspci binary) or the string "Unknown (13)" are the important bit here. If you are not using a patched lspci binary it's much more difficult to describe what to look for to see ACS support enabled (easy to see whether it's capable or not by the (lack of) existence of "Capabilities: [???] Unknown(13)").

nb. my problem is that there are virtualisation management tools there in the first place. Virtualisation that I suspect these hidden drivers are related to?

I unticked every single one of them except for the Realtek Lan controller and my system was running brilliantly. At least for a short while....they certainly were not 'default', let alone ESSENTIAL.
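The ACS check described in the quoted text above, as an added example (not from the thread, the quoted document or lspci): parse `lspci -vv` output, treat a capability at an extended offset above 0xFF named "Access Control Services" or "Unknown (13)" as ACS-capable, and read the ACSCtl bits to see whether upstream forwarding is actually enforced. The lspci text, device names and the set of control bits treated as "enforcing" are constructed assumptions for the example.

```python
"""Flag PCIe functions with and without ACS in `lspci -vv` text (added example)."""
import re

# Constructed lspci -vv excerpt; not captured from the poster's machine.
SAMPLE_LSPCI = """\
00:1c.0 PCI bridge: Example Corp Root Port (rev 05) (prog-if 00 [Normal decode])
\tCapabilities: [40] Express (v2) Root Port (Slot+), MSI 00
\tCapabilities: [140] Access Control Services
\t\tACSCap:\tSrcValid+ TransBlk+ ReqRedir+ CmpltRedir+ UpstreamFwd+ EgressCtrl- DirectTrans-
\t\tACSCtl:\tSrcValid+ TransBlk- ReqRedir+ CmpltRedir+ UpstreamFwd+ EgressCtrl- DirectTrans-
00:1f.3 Audio device: Example Corp HD Audio
\tCapabilities: [50] Power Management version 2
01:00.0 Ethernet controller: Example Corp Gigabit NIC
\tCapabilities: [150] Unknown (13)
02:00.0 PCI bridge: Example Corp Downstream Switch Port
\tCapabilities: [40] Express (v2) Downstream Port (Slot+)
"""

CAP_RE = re.compile(r"^\s+Capabilities: \[([0-9a-fA-F]+)\] (.+)$")
CTL_RE = re.compile(r"^\s+ACSCtl:\s*(.+)$")
ACS_ID = 0xD  # PCIe extended capability ID for ACS, as the quoted text states
ACS_NAMES = {"Access Control Services", f"Unknown ({ACS_ID})"}  # patched / unpatched lspci
# Control bits that force peer-to-peer traffic upstream through the IOMMU.
# Assumption for this example: a switch port counts as enforcing only when all four are set.
UPSTREAM_BITS = {"SrcValid", "ReqRedir", "CmpltRedir", "UpstreamFwd"}


def split_devices(text):
    """Group lspci output into one record per function (header line + indented body)."""
    devices, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = {"slot": line.split()[0], "desc": line, "lines": []}
            devices.append(current)
        elif current is not None:
            current["lines"].append(line)
    return devices


def acs_status(device):
    """Decide whether a function advertises ACS and whether its control bits enforce it."""
    capable, enabled = False, set()
    for line in device["lines"]:
        m = CAP_RE.match(line)
        if m:
            offset, name = int(m.group(1), 16), m.group(2).strip()
            if offset > 0xFF and name in ACS_NAMES:  # extended space only
                capable = True
            continue
        m = CTL_RE.match(line)
        if m and capable:
            # Tokens look like "ReqRedir+" (set) or "EgressCtrl-" (clear).
            enabled = {tok[:-1] for tok in m.group(1).split() if tok.endswith("+")}
    return {"slot": device["slot"], "acs_capable": capable,
            "acs_enforcing": UPSTREAM_BITS <= enabled}


def scan(text):
    return [acs_status(d) for d in split_devices(text)]


def bridges_without_acs(text):
    """Bridges/switch ports lacking ACS: devices below them should not be passed to guests."""
    return [r["slot"] for d, r in zip(split_devices(text), scan(text))
            if "bridge" in d["desc"].lower() and not r["acs_capable"]]


if __name__ == "__main__":
    for row in scan(SAMPLE_LSPCI):
        print(row)
    print("bridges without ACS:", bridges_without_acs(SAMPLE_LSPCI))
```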